Article

Website security for SMEs: the four pillars you cannot miss

HTTPS, regular updates, backups and malware scanning. Four pillars every business website needs, and why WordPress is especially vulnerable.

Short answer
  • Website security stands on four pillars: HTTPS/SSL (required for Google ranking and GDPR compliance), regular updates of CMS, theme and plugins (96% of hacked CMS sites run WordPress, Sucuri 2023), daily backups to an external location, and malware scanning with rapid incident response.
  • For WordPress sites security is especially urgent: every outdated plugin is a potential attack vector. Tools like Wordfence (free basic version) and Sucuri (paid, includes WAF) provide active protection. Let's Encrypt delivers free SSL certificates; Cloudflare adds a DDoS mitigation layer.
  • A managed care plan takes all these tasks off your plate for €39–€89 per month including hosting. Updates, backups, SSL renewal and security monitoring are handled, without you having to think about it.

The four pillars

What makes up good website security?

A secure website is not a state, but an ongoing process. Four pillars together determine the security level of your business website.

1. HTTPS and a valid SSL certificate

HTTPS encrypts all data between the visitor's browser and your server. Without HTTPS, Google Chrome shows the 'Not secure' warning, causing immediate trust damage. Search engines rank HTTPS sites higher than HTTP. The GDPR also requires appropriate technical measures for personal data: a contact form without HTTPS is a GDPR risk (Art. 32). Let's Encrypt provides free SSL certificates that renew automatically. Always verify the certificate is valid and not expired.
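
The "valid and not expired" check from this pillar, written out as an added example (it is not code from the original article or from Let's Encrypt). It uses Python's standard `ssl` module: the date format is the one `ssl.getpeercert()` returns, the 14-day warning threshold is an assumed value, and `fetch_certificate()` is the only part that touches the network.

```python
import socket
import ssl
from datetime import datetime, timezone

# ssl.getpeercert() reports validity dates in this fixed, always-UTC format,
# e.g. 'Jun  1 12:00:00 2025 GMT'
_CERT_DATE_FORMAT = "%b %d %H:%M:%S %Y %Z"


def parse_cert_date(value):
    """Parse a notBefore/notAfter string as returned by ssl.getpeercert()."""
    return datetime.strptime(value, _CERT_DATE_FORMAT).replace(tzinfo=timezone.utc)


def certificate_status(not_before, not_after, now=None, warn_days=14):
    """Return {'valid', 'days_left', 'renew_soon'} for a certificate's validity window.

    'valid' is False outside the window. 'renew_soon' flags a certificate that is still
    valid but has warn_days (assumed default: 14) or fewer left, which is the moment a
    silently failed automatic renewal should be noticed, not the day the site goes down.
    """
    now = now or datetime.now(timezone.utc)
    start = parse_cert_date(not_before)
    end = parse_cert_date(not_after)
    days_left = (end - now).days
    valid = start <= now <= end
    return {"valid": valid, "days_left": days_left, "renew_soon": valid and days_left <= warn_days}


def fetch_certificate(hostname, port=443, timeout=5.0):
    """Fetch the leaf certificate a live server presents (network call; not used offline).

    create_default_context() verifies the chain and the hostname, so an already expired
    or mismatched certificate fails the handshake with SSLCertVerificationError: that
    failure is itself the alarm. For a certificate that still verifies, the returned
    dates feed certificate_status() so you are warned before it expires.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check_host(hostname, warn_days=14):
    """Live check of one hostname; combine with a scheduler for a daily run."""
    cert = fetch_certificate(hostname)
    return certificate_status(cert["notBefore"], cert["notAfter"], warn_days=warn_days)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: python cert_check.py <your-hostname>")
    print(check_host(sys.argv[1]))
```

Run it daily from cron against your own hostname and alert on `renew_soon`; a Let's Encrypt certificate that is still valid with fewer than two weeks left almost always means the renewal job has stopped working.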

2. Regular updates of CMS, theme and plugins

The Sucuri 2023 Hacked Website Threat Report shows that 96% of hacked CMS websites run WordPress: not because WordPress is inherently insecure, but because outdated plugins and themes contain known vulnerabilities (CVEs) that automated attackers actively scan for. Every plugin release that patches a security issue also tells attackers exactly what to look for, so every site that has not yet updated is effectively advertised as vulnerable. Maintain a fixed update schedule: at least bi-weekly for WordPress, immediately for critical patches. For custom Next.js sites the same applies: npm dependencies with known CVEs require prompt updates.

3. Daily backups to an external location

A backup stored on the same server as the website is not a backup: ransomware encrypts both simultaneously. Good backups are daily, complete (files + database), stored at an external location (cloud storage, separate server), and demonstrably recoverable. Test the restore process at least once per quarter. Retain backups for a minimum of 30 days so you can return to a clean version from before a compromise that is only discovered later.
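
The four properties listed above (daily, complete, external, demonstrably recoverable) plus the 30-day retention, as an added example that is not code from the original article. It also performs the trial restore that the FAQ below asks for each quarter. Assumptions: the `site-<timestamp>.tar.gz` naming scheme is invented for the example, `dest_dir` is expected to be a mount of external storage rather than the web server's own disk, and the database dump is produced beforehand by whatever tool you use (e.g. `mysqldump`), so the example only receives its path.

```python
import hashlib
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

STAMP_FORMAT = "%Y%m%dT%H%M%SZ"   # assumed naming scheme: site-<stamp>.tar.gz
PREFIX = "site-"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(site_dir, db_dump, dest_dir, now=None):
    """Bundle the web root and a database dump into one archive in dest_dir (external storage)."""
    now = now or datetime.now(timezone.utc)
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"{PREFIX}{now.strftime(STAMP_FORMAT)}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(site_dir), arcname="files")       # files: wp-content, uploads, config
        tar.add(str(db_dump), arcname="database.sql")  # database: dump made beforehand
    # Checksum stored beside the archive so silent corruption is caught at restore time
    Path(f"{archive}.sha256").write_text(sha256_of(archive))
    return archive


def _safe_member(member):
    # Reject absolute paths, '..' segments and links so a tampered archive
    # cannot write outside the restore directory
    parts = Path(member.name).parts
    return (not Path(member.name).is_absolute() and ".." not in parts
            and not (member.issym() or member.islnk()))


def verify_restore(archive, scratch_dir):
    """Trial restore: checksum the archive, extract into scratch_dir, confirm both parts arrived."""
    archive, scratch_dir = Path(archive), Path(scratch_dir)
    if sha256_of(archive) != Path(f"{archive}.sha256").read_text().strip():
        return False
    with tarfile.open(archive, "r:gz") as tar:
        members = tar.getmembers()
        if not all(_safe_member(m) for m in members):
            return False
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(scratch_dir, members=members, **extra)
    return (scratch_dir / "files").is_dir() and (scratch_dir / "database.sql").is_file()


def prune_old_backups(dest_dir, keep_days=30, now=None):
    """Delete archives (and their checksum files) older than keep_days; return their names."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=keep_days)
    removed = []
    for archive in sorted(Path(dest_dir).glob(f"{PREFIX}*.tar.gz")):
        stamp = archive.name[len(PREFIX):-len(".tar.gz")]
        taken = datetime.strptime(stamp, STAMP_FORMAT).replace(tzinfo=timezone.utc)
        if taken < cutoff:
            archive.unlink()
            Path(f"{archive}.sha256").unlink(missing_ok=True)
            removed.append(archive.name)
    return removed


def run_demo():
    """Constructed end-to-end run in a temp directory: two backups, one trial restore, one prune."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        site = tmp / "www"                                  # constructed sample web root
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed sample\n")
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        dump = tmp / "dump.sql"                             # constructed sample dump
        dump.write_text("-- constructed sample dump\nCREATE TABLE wp_options (option_id INT);\n")
        external = tmp / "external-storage"
        create_backup(site, dump, external, now=datetime(2024, 1, 1, tzinfo=timezone.utc))
        new = create_backup(site, dump, external, now=datetime(2024, 3, 1, tzinfo=timezone.utc))
        restored_ok = verify_restore(new, tmp / "staging")
        removed = prune_old_backups(external, keep_days=30, now=datetime(2024, 3, 2, tzinfo=timezone.utc))
        remaining = sorted(p.name for p in external.glob("*.tar.gz"))
        return {"restored_ok": restored_ok, "removed": removed, "remaining": remaining}


if __name__ == "__main__":
    print(run_demo())
```

`verify_restore()` is the piece most backup setups lack: it proves the archive can actually be unpacked, and it refuses archives containing absolute paths or `..` entries, so a backup that an intruder has tampered with cannot overwrite files outside the staging directory during the restore test.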

4. Malware scanning and incident response

Proactive malware scanning detects infections before visitors are affected. Wordfence (WordPress) offers a free scanner comparing files against the official WordPress repository. Sucuri SiteCheck is an external scanner analysing the public output of your site. Imunify360 provides server-level protection at managed hosting providers. Always set up uptime monitoring (e.g. via UptimeRobot or Freshping, both with a free basic version) so that you learn about downtime from an alert rather than from a customer who cannot reach your site.
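
The file comparison that scanners like Wordfence perform, shown as an added example rather than Wordfence's own code: hash every file of a known-good install into a manifest, then diff a later scan against it to list modified, missing and added files. The paths and file contents in `run_demo()` are constructed samples, and the rule that flags server-side code under `wp-content/uploads/` is this example's own heuristic, not one taken from the article.

```python
import hashlib
import tempfile
from pathlib import Path

SERVER_CODE_SUFFIXES = (".php", ".phtml", ".phar")


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256.

    Build this from a known-good install (a fresh download or the staging copy) and
    keep it off the web server, so an intruder cannot rewrite it to match their changes.
    """
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_manifest(root, manifest):
    """Diff the current tree against the manifest: changed, deleted and unexpected files."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def suspicious_additions(added, media_dir="wp-content/uploads/"):
    """Server-side code appearing in a directory that should only hold media is a
    common indicator of compromise; surface those additions first."""
    return [p for p in added if p.startswith(media_dir) and p.lower().endswith(SERVER_CODE_SUFFIXES)]


def run_demo():
    """Constructed scenario: baseline an install, then detect an edit, a deletion and an addition."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = {                                          # constructed sample files
            "wp-includes/version.php": "<?php $wp_version = '6.5';\n",
            "wp-includes/functions.php": "<?php // core functions\n",
            "wp-content/uploads/photo.jpg": "jpeg-bytes",
        }
        for rel, body in baseline.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        manifest = build_manifest(root)

        # Changes the next scan should notice
        (root / "wp-includes/version.php").write_text("<?php $wp_version = '6.5'; // unexpected edit\n")
        (root / "wp-includes/functions.php").unlink()
        (root / "wp-content/uploads/unexpected.php").write_text("<?php // not a media file\n")

        report = compare_to_manifest(root, manifest)
        report["suspicious"] = suspicious_additions(report["added"])
        return report


if __name__ == "__main__":
    print(run_demo())
```

A manifest diff is only as good as its baseline: regenerate it right after each update you apply yourself, and treat any "modified" core file you did not change as a reason to restore from the last known-clean backup rather than to patch the file in place.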

WordPress specifically

Why WordPress is especially vulnerable, and how to manage the risk

WordPress has a global market share of approximately 43% of all websites (W3Techs, 2024). That makes it an attractive target for automated attacks scanning for known plugin vulnerabilities. The risks are manageable with discipline: remove unused plugins and themes (every installed file is an attack vector, even if deactivated), use only plugins with active maintenance and more than 10,000 active installations, enable automatic updates for WordPress core and for security releases, add two-factor authentication to the wp-admin account, and change the default login URL (wp-login.php) to reduce automated brute-force attacks. Considering WordPress for its large ecosystem but want fewer security worries? Read our honest comparison in the article about having a WordPress website built, including the pros and cons of the platform.

Frequently asked questions

Frequently asked questions about website security

Is my website already secured if the hosting provider handles it?
Partly. A good hosting provider handles server-level security: firewalls, DDoS mitigation, server updates and infrastructure monitoring. But application-layer security (your CMS, plugins, theme, form validation, upload controls) is your own responsibility. An outdated WordPress plugin remains vulnerable regardless of how well the server is secured.
How do I know if my website has been hacked?
Signs include: unknown administrator accounts, strange files or scripts in the installation, sudden traffic drops (Google removes compromised sites from the index), a 'This site may harm your computer' warning in Google, visitors being redirected to other websites, or your hosting provider sending an abuse notification. Use Sucuri SiteCheck (free) to scan your site's public output for known malware signatures.
What does website security cost in practice?
Let's Encrypt SSL is free and automatic. Wordfence basic is free; the paid version (approximately $119/year indicative, check wordfence.com) adds real-time rules. Sucuri's Website Security Platform costs indicatively $199–$499/year (check sucuri.net). A managed care plan at Delahaye Solutions (€39–€89/month) covers hosting, SSL, daily backups, security updates and uptime monitoring in one fixed monthly price.
Should I buy an SSL certificate or can I use a free one?
Let's Encrypt provides free, automatically renewing SSL certificates trusted by all modern browsers. Most managed hosting providers install Let's Encrypt automatically. Organisations wanting an extended validation (EV) or organisation validation (OV) certificate (visible in some browsers as a company name display) need paid certificates. For most SME websites Let's Encrypt is entirely sufficient.
How often should I test restoring a backup?
At least once per quarter. A backup you have never tested is a backup you do not know will restore correctly. Test on a staging environment: restore the backup, verify that the site loads correctly, that the database is intact and that no files are missing. Document the test result with the date.

Want someone else to handle this?

With a Delahaye Care plan you do not need to know how security works: we do it for you. SSL, updates, backups, monitoring. Book a free call.

Book a free call →

Free and without obligation · Reply within one business day · Fixed price up front, no surprises